Copyright (c) 2004-2006 Daniel B. Cid <daniel.cid@gmail.com>
How the active response works internally:

- Read active-response.txt for details on configuration
1 - The analysis server receives an event that matches the
active response policy.
2 - The analysis server verifies that all fields required by the
policy are present in the event, i.e. that the decoder was able
to extract the necessary information from it. One example is
whether it was able to extract the source IP address that will be
sent to the firewall to be blocked. If a required field is
missing, no response is triggered for that policy.
3 - If the active response policy specifies that the action
must be executed locally on the AS, a message is sent
directly to execd.

4 - If the active response policy specifies that the action
must be executed remotely, a message is sent to the
"Active response forwarder" (remoted), which forwards the
event to the specified agent.